diff options
| author | Allan Sandfeld Jensen <allan.jensen@digia.com> | 2013-01-23 12:17:32 +0100 |
|---|---|---|
| committer | The Qt Project <gerrit-noreply@qt-project.org> | 2013-01-23 18:59:21 +0100 |
| commit | c0a3b64d8e6f8eac5a8e65cdb337e24e112da2c3 (patch) | |
| tree | 2241523e73cd66381c519dd083ef7caece6fe979 /Source/JavaScriptCore/runtime/JSObject.cpp | |
| parent | 9a0c51e753db9e4164df97801f132237e62387de (diff) | |
| download | qtwebkit-c0a3b64d8e6f8eac5a8e65cdb337e24e112da2c3.tar.gz | |
Heap-use-after-free in WebCore::XMLDocumentParser::doEnd
https://bugs.webkit.org/show_bug.cgi?id=100152
Reviewed by Adam Barth.
XMLDocumentParser can be blown away inside document()->styleResolverChanged()
call. Protect it with a local RefPtr in Document::explitClose.
No new tests. The site specific dependencies are hard to minimize.
* dom/Document.cpp:
(WebCore::Document::explicitClose): RefPtr m_parser into a local, since
it can be detached and nulled out in DocumentWriter::end().
* xml/parser/XMLDocumentParser.cpp:
(WebCore::XMLDocumentParser::end): Bail out when we are detached.
* xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::XMLDocumentParser::doEnd): Bail out when we are detached.
* xml/parser/XMLDocumentParserQt.cpp:
(WebCore::XMLDocumentParser::doEnd): Bail out when we are detached.
Change-Id: If7ff9142c561391e7c30632a9b8fb9cbb284fb2c
Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
Diffstat (limited to 'Source/JavaScriptCore/runtime/JSObject.cpp')
0 files changed, 0 insertions, 0 deletions